Google discloses zero-click bugs impacting all Apple platforms

Discovered by Google's Project Zero team, and outlined in a publication on Tuesday, the Image I/O flaws are ripe candidates for zero-click attack vectors, reports ZDNet.

Image I/O ships with iOS, macOS, watchOS and tvOS, meaning the flaws were present on each of Apple's major platforms.

As noted in Google's disclosure, the Image I/O problems harken back to relatively well known issues surrounding image format parsers. These specialized frameworks are ideal for hackers, as malformed multimedia assets, if allowed to process, typically have the ability to run code on a target system without user interaction.

Project Zero poked at Image I/O using a process called "fuzzing" to see how the framework responded to malformed image files. The technique was selected because Apple restricts access to a majority of the tool's source code.

Google researchers successfully teased out six vulnerabilities in Image I/O and another eight in OpenEXR, a third-party "high dynamic-range (HDR) image file format" that is exposed through Apple's framework.

"It is likely that, given enough effort (and exploit attempts granted due to automatically restarting services), some of the found vulnerabilities can be exploited for [remote code execution] in a 0click attack scenario," writes Samuel Groß, security researcher at Project Zero.

Groß recommends Apple perform continuous "fuzz-testing" as well as "aggressive attack-surface reduction" in operating system libraries and messenger apps, another popular avenue for multimedia-based attacks. The latter tactic would reduce compatible file formats in the name of security.

Apple fixed the six Image I/O flaws in security patches pushed out in January and April, according to the report.